How Windows Is Making Your Face Your Password

Passwords have long been the nuisance of security, and also the laughingstock. Most of us have, at one time or another, made a password that includes our birthday (a bad idea), our name (another bad move), or simply just used “password” (the worst tactic of them all). Hopefully with added prompts from applications that require certain lengths, numbers, and symbols, the passwords you’re using now are a little more secure than those options. However, they’re still a pain to remember, especially if you’re following common wisdom and trying to use different passwords for each platform.

In the latest of a string of companies attempting to make life simpler, Microsoft announced on March 17 it would include biometric authentication as parts of its “personal computing” initiatives. The technology is designed to work in two ways. First, any Windows 10 device will be able to unlock based on a scan of your fingerprint, face, or iris. Then, using a second layer, you can log on to Microsoft Passport, again scanning your selected biometrics. Passport will give you access to the online applications you use, including email, bank accounts, and more. Windows 10 essentially is able to sign you in to all of those sites, without ever sending a password over a network.

Microsoft is the most recent of several companies that have developed biometric technology as a means to replacing passwords or PINs. Every iPhone 6 has Touch ID capabilities, and USAA announced it would be the first banking institution in the United States to offer biometric recognition on its app. “The use of multifactor authentication through biometrics is one of the most effective ways to increase security protection as traditional passwords become increasingly obsolete,” said Gary McAlum, USAA’s chief security officer. In that case, account holders’ faces can be read on the screen or use voice recognition software to access their information. The phasing in of that program is already available in several states.

In all of these cases, the effort is to be faster and more secure at the same time. But is that the case with biometric data? An article in Scientific American claims that the shift toward using such personal data is asking for even larger breaches in privacy. It’s one thing to change a credit card number, the article contends, but the patterns on your thumbprint and iris are yours for life. What’s more, the legal status of protecting such data is largely unclear. No court has addressed whether law enforcement — or anyone else — can collect biometric data without the person’s knowledge, and case law says nothing about facial recognition software.

Nothing is 100% secure, as Sandeep Sood, the CEO of technology firm Monsoon, wrote in a post for The Financial Brand. “When it comes down to it, security is just a never-ending war between good guys and bad guys, with each side stealthily inching ahead of the other by a few millimeters, before the other catches up and figures out a new trick,” he wrote. But platforms, especially financial institutions, that use more than one method of biometric authentication will be much more secure overall, he said. In Monsoon’s research on the topic, Sood said that customers believe companies have access to their biometric data, whether or not they’re actually storing it somewhere. So the key is to make sure consumers are comforted by the level of security in setting up the device.

Microsoft staffers spend more than half of the introductory video (seen above) talking about the levels of security and privacy for the biometric data it will collect. “Of course, convenience and simplicity should never sacrifice security and privacy,” the company writes in its blog post. The company has developed its technology to an “enterprise grade” status that uses infrared technology to recognize your face when you attempt to use your device. It’s able to tell if someone is trying to impersonate you, or holding up a photo instead. The infrared advances also makes sure the device can still tell it’s you, even in different lighting conditions or if you’ve decided to grow a beard or wear your makeup differently.

Ian Waldie/Getty Images

“Windows Hello was designed with privacy in mind,” said Scott Evans, a Microsoft team member, in the video. The biometric data is stored locally, meaning it’s only on your device, not Microsoft servers somewhere. So the only way a hacker could use the hardware is if they first stole the device and then used your real fingerprint, iris, or face. Essentially, you’d have to give it to them.

The technology is at a point where it has a 1 in 100,000 false accept rate, Evans explained, meaning it is highly foolproof. The company is also a part of the FIDO Alliance, a nonprofit group with a goal of transitioning the private sector into security that isn’t based solely around passwords. This isn’t just a concern of a few companies, as Microsoft attended the White House Cybersecurity and Consumer Protection Summit at Stanford University in February to discuss the shift toward new forms of security.

For all of that, however, Microsoft is still leaving room for the skeptics. “Using Windows Hello and ‘Passport’ is your choice and you control whether to opt-in to use it,” according to the blog. The company hasn’t announced a release date yet, but it’s expected to launch over the summer months. Until then, Microsoft will have to wait to see how many people are actually willing to ditch their passwords for a facial scan. It’s possible that users will balk at the idea of giving a company their fingerprint information, even if it’s only stored locally on the phone or laptop. However, it’s also possible that consumers will follow the trends of data mining from the likes of Facebook and Google, and add their biometrics to the stash of information companies are using.